https://community.splunk.com/t5/Splunk-Search/correct-TIME-FORMAT-for-time-stamp/m-p/498382#M138862 <P>I gave it a shot unfortunately it didn't work.</P> <P>I have tried this also ( this is based on the <A href="https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Commontimeformatvariables">splunk date time doc</A> ) with no luck. Any other ideas?<BR /> %b %e %Y %l:%M%p</P> <P>logs<BR /> | xyz.a | 94 | 3100 | 2605 | 0 | 84 | | Dec 3 2019 1:01AM | destructive |<BR /> | xyz.b| 94 | 45476 | 31607 | 1 | 70 | 166428 | Dec 3 2019 1:25AM | keeponline |<BR /> | xtf.j| 94 | 3100 | 3044 | 0 | 98 | | Dec 3 2019 1:02AM | destructive |</P> Tue, 10 Dec 2019 00:25:38 GMT Melstrathdee 2019-12-10T00:25:38Z https://community.splunk.com/t5/Splunk-Search/correct-TIME-FORMAT-for-time-stamp/m-p/498380#M138860 <P>Hello,<BR /> I'm having trouble extracting the following timestamp for one source, is there someone here that can recommend what values to put into the $SPLUNK_HOME/etc/system/default/local file under the TIME_FORMAT attribute?</P> <P>Dec 3 2019 12:59AM </P> <P>I have set TIME_FORMAT to be %b %#d %Y %l:%M%p but it is ignoring the AM or PM</P> <P>I am getting an error could not use strptime to parse timestamp from | xyz.com | 94 | 2051 | 436 | 0 | 21 | | Dec 3 2019 12:59AM | destructive |</P> <P>and it is returning this is the timestamp 12/3/19 12:59:00.000 PM</P> <P>Thank you</P> Wed, 30 Sep 2020 03:12:31 GMT https://community.splunk.com/t5/Splunk-Search/correct-TIME-FORMAT-for-time-stamp/m-p/498380#M138860 Melstrathdee 2020-09-30T03:12:31Z https://community.splunk.com/t5/Splunk-Search/correct-TIME-FORMAT-for-time-stamp/m-p/498381#M138861 <P>in props.conf</P> <P>[yoursourcetype]<BR /> TIME_FORMAT = %b %d %Y %I:%M%p</P> Mon, 09 Dec 2019 06:28:14 GMT https://community.splunk.com/t5/Splunk-Search/correct-TIME-FORMAT-for-time-stamp/m-p/498381#M138861 thambisetty 2019-12-09T06:28:14Z https://community.splunk.com/t5/Splunk-Search/correct-TIME-FORMAT-for-time-stamp/m-p/498382#M138862 <P>I gave it a shot unfortunately it didn't work.</P> <P>I have tried this also ( this is based on the <A href="https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Commontimeformatvariables">splunk date time doc</A> ) with no luck. Any other ideas?<BR /> %b %e %Y %l:%M%p</P> <P>logs<BR /> | xyz.a | 94 | 3100 | 2605 | 0 | 84 | | Dec 3 2019 1:01AM | destructive |<BR /> | xyz.b| 94 | 45476 | 31607 | 1 | 70 | 166428 | Dec 3 2019 1:25AM | keeponline |<BR /> | xtf.j| 94 | 3100 | 3044 | 0 | 98 | | Dec 3 2019 1:02AM | destructive |</P> Tue, 10 Dec 2019 00:25:38 GMT https://community.splunk.com/t5/Splunk-Search/correct-TIME-FORMAT-for-time-stamp/m-p/498382#M138862 Melstrathdee 2019-12-10T00:25:38Z